[Opendnssec-user] Serial problem after rollover in 2.0.1

Fred.Zwarts F.Zwarts at KVI.nl
Fri Sep 16 10:59:18 UTC 2016


"Yuri Schaeffer"  schreef in bericht 
news:7b52287e-c6d9-7862-dcdc-3c9db8c8f839 at nlnetlabs.nl...
>
>> We never had this problem with 1.4. From our /etc/opendnssec/kasp.xml:
>>
>> <Zone>
>>        <PropagationDelay>PT15H</PropagationDelay>
>>        <SOA>
>>                <TTL>PT86400S</TTL>
>>                <Minimum>PT10800S</Minimum>
>>                <Serial>datecounter</Serial>
>>        </SOA>
>> </Zone>
>>
>> The kasp.xml has not been touched since December 2015.
>> So, there must be something else. Could it be that the migration of the
>> database changed it from datecounter to keep?
>> Should I update the configuration after the migration?
>
>The log message really seems to suggest 'keep' is used. Can you check the
>SOA section of /var/opendnssec/signconf/kvi.nl (or similar path)?
>
>If it says 'keep' in the signconf you should make sure the enforcerd
>reads the kasp.xml from the correct location. If it does -something odd
>has happened during conversion- you can issue an 'ods-enforcer policy
>import' to have the enforcer reread the kasp.xml.
>
>Regards,
>Yuri

Thanks! The signconf indeed had a 'keep'. Using an enforcer policy import 
changed it into 'datecounter'.

However, the system log shows some strange messages during the import 
operation:

2016-09-16T12:48:12.257225+02:00 kvir07 ods-enforcerd: INFO: The XML in 
/etc/opendnssec/kasp.xml is valid
2016-09-16T12:48:12.257576+02:00 kvir07 ods-enforcerd: WARNING: No policy 
named 'default' in /etc/opendnssec/kasp.xml. This means you will need to 
refer explicitly to the policy for each zone
2016-09-16T12:48:12.257742+02:00 kvir07 ods-enforcerd: WARNING: In policy 
SIDN, Y used in duration field for Keys/KSK Lifetime (P1Y) in 
/etc/opendnssec/kasp.xml - this will be interpreted as 365 days
2016-09-16T12:48:12.257897+02:00 kvir07 ods-enforcerd: WARNING: In policy 
SIDN, M used in duration field for Keys/ZSK Lifetime (P3M) in 
/etc/opendnssec/kasp.xml - this will be interpreted as 31 days
2016-09-16T12:48:12.258054+02:00 kvir07 ods-enforcerd: WARNING: In policy 
RuG, Y used in duration field for Keys/KSK Lifetime (P1Y) in 
/etc/opendnssec/kasp.xml - this will be interpreted as 365 days
2016-09-16T12:48:12.258315+02:00 kvir07 ods-enforcerd: WARNING: In policy 
RuG, M used in duration field for Keys/ZSK Lifetime (P3M) in 
/etc/opendnssec/kasp.xml - this will be interpreted as 31 days
2016-09-16T12:48:12.258789+02:00 kvir07 ods-enforcerd: [policy_import] 
policy SIDN updated
2016-09-16T12:48:12.259838+02:00 kvir07 ods-enforcerd: [policy_import] 
policy RuG updated
2016-09-16T12:48:12.260044+02:00 kvir07 ods-enforcerd: [signconf_cmd] 
performing signconf for all zones
2016-09-16T12:48:12.261957+02:00 kvir07 ods-enforcerd: [signconf_cmd] 
signconf done, notifying signer
2016-09-16T12:48:12.265637+02:00 kvir07 ods-enforcerd: [enforce_task] No 
changes to any signconf file required
2016-09-16T12:48:12.267431+02:00 kvir07 ods-signerd: [nsec3] invalid salt 0
2016-09-16T12:48:12.267635+02:00 kvir07 ods-signerd: [nsec3] unable to 
create: create salt failed
2016-09-16T12:48:12.267804+02:00 kvir07 ods-signerd: [signconf] unable to 
read signconf /var/opendnssec/signconf/KVI.nl.xml: nsec3params_create() 
failed
2016-09-16T12:48:12.267963+02:00 kvir07 ods-signerd: [signconf] unable to 
update signconf: failed to read file /var/opendnssec/signconf/KVI.nl.xml 
(Memory allocation error)
2016-09-16T12:48:12.268116+02:00 kvir07 ods-signerd: [zone] unable to load 
signconf for zone KVI.nl: signconf /var/opendnssec/signconf/KVI.nl.xml 
Memory allocation error
2016-09-16T12:48:12.268271+02:00 kvir07 ods-signerd: [tools] unable to load 
signconf for zone KVI.nl: Memory allocation error
2016-09-16T12:48:12.268427+02:00 kvir07 ods-signerd: [worker[1]] continue 
task [sign] for zone KVI.nl
2016-09-16T12:48:12.466672+02:00 kvir07 ods-enforcerd: [signconf_cmd] 
performing signconf for all zones
2016-09-16T12:48:12.468766+02:00 kvir07 ods-enforcerd: [signconf_cmd] 
signconf done, notifying signer
2016-09-16T12:48:12.472990+02:00 kvir07 ods-enforcerd: [signconf_cmd] 
performing signconf for all zones
2016-09-16T12:48:12.474993+02:00 kvir07 ods-enforcerd: [signconf_cmd] 
signconf done, notifying signer
2016-09-16T12:48:12.485463+02:00 kvir07 ods-signerd: [signconf] zone KVI.nl 
signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] 
JITTER[P1D] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[P1D] MINIMUM[PT3H] 
SERIAL[datecounter]
2016-09-16T12:48:12.839254+02:00 kvir07 ods-signerd: [STATS] KVI.nl 
2016091604 RR[count=1 time=0(sec)] NSEC3[count=676 time=0(sec)] 
RRSIG[new=682 reused=2963 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
2016-09-16T12:48:12.880746+02:00 kvir07 ods-signerd: [worker[1]] continue 
task [sign] for zone KVI.nl


I use explicit policies, so the default policy is not needed. I am worried a 
bit about the signer messages about salt and about Memory allocation error. 
It seems that it recovered from that, but I am not sure. I will monitor it 
the next few hours to see if it keeps running. At least the "ods-signer 
sign --all" can now be used several times without the need to update the 
input zone. 
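The two checks discussed in this thread (does the per-zone signconf carry the same SOA Serial mode as the policy in kasp.xml, and which kasp.xml durations the enforcer will reinterpret as 365/31 days) can be scripted so they run before and after an `ods-enforcer policy import`. The script below is an added example written for this page, not OpenDNSSEC code. It assumes kasp.xml holds `<Policy name=...><Zone><SOA><Serial>` and that the enforcer's signconf files hold `<Zone name=...><SOA><Serial>`; the sample kasp.xml, signconf and log lines are constructed from the excerpts above, not the poster's real files, and the 365/31-day conversion follows the enforcer's own warning text.

```python
"""Serial-mode and duration sanity checks for OpenDNSSEC 2.x (added example)."""
import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs, modelled on the thread (assumption: real files are larger) ---
KASP_XML = """<KASP>
  <Policy name="SIDN">
    <Zone>
      <PropagationDelay>PT15H</PropagationDelay>
      <SOA><TTL>PT86400S</TTL><Minimum>PT10800S</Minimum><Serial>datecounter</Serial></SOA>
    </Zone>
    <Keys>
      <KSK><Lifetime>P1Y</Lifetime></KSK>
      <ZSK><Lifetime>P3M</Lifetime></ZSK>
    </Keys>
  </Policy>
</KASP>"""

# The signconf as found after the migration: 'keep' where the policy says 'datecounter'.
STALE_SIGNCONF = """<SignerConfiguration>
  <Zone name="KVI.nl">
    <SOA><TTL>PT86400S</TTL><Minimum>PT10800S</Minimum><Serial>keep</Serial></SOA>
  </Zone>
</SignerConfiguration>"""

# Constructed signer log lines in the shape the thread shows.
SIGNER_LOG = [
    "ods-signerd: [signconf] unable to read signconf /var/opendnssec/signconf/KVI.nl.xml: nsec3params_create() failed",
    "ods-signerd: [signconf] zone KVI.nl signconf: RESIGN[PT2H] REFRESH[P3D] SERIAL[datecounter]",
]


def kasp_serial(kasp_xml, policy_name):
    """SOA Serial mode configured for one named policy in kasp.xml, or None."""
    for pol in ET.fromstring(kasp_xml).findall("Policy"):
        if pol.get("name") == policy_name:
            node = pol.find("Zone/SOA/Serial")
            return node.text.strip() if node is not None and node.text else None
    return None


def signconf_serial(signconf_xml, zone_name):
    """SOA Serial mode the enforcer wrote into a zone's signconf, or None."""
    for zone in ET.fromstring(signconf_xml).findall("Zone"):
        if (zone.get("name") or "").lower() == zone_name.lower():
            node = zone.find("SOA/Serial")
            return node.text.strip() if node is not None and node.text else None
    return None


def serial_mismatch(kasp_xml, policy_name, signconf_xml, zone_name):
    """Return (policy_mode, signconf_mode, consistent) for one zone."""
    k = kasp_serial(kasp_xml, policy_name)
    s = signconf_serial(signconf_xml, zone_name)
    return k, s, (k is not None and k == s)


# ISO 8601 duration as used in kasp.xml: date part (Y, M, W, D), then optional T part (H, M, S).
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(text):
    """Duration -> seconds, with Y = 365 days and calendar M = 31 days (the enforcer's convention)."""
    m = _DUR.match(text)
    if not m or not any(m.groups()):
        raise ValueError("bad duration: %r" % text)
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return (y * 365 + mo * 31 + w * 7 + d) * 86400 + h * 3600 + mi * 60 + s


def _walk(node, path):
    path = path + "/" + node.tag
    yield node, path
    for child in node:
        yield from _walk(child, path)


def calendar_unit_warnings(kasp_xml):
    """Every (policy, element path, value) whose date part uses Y or M; these are the
    fields the enforcer warns it interprets as 365 or 31 days."""
    found = []
    for pol in ET.fromstring(kasp_xml).findall("Policy"):
        for node, path in _walk(pol, ""):
            value = (node.text or "").strip()
            m = _DUR.match(value)
            if m and any(m.groups()) and re.search(r"[YM]", value.split("T", 1)[0]):
                found.append((pol.get("name"), path, value))
    return found


_LOG_SERIAL = re.compile(r"\[signconf\] zone (\S+) signconf: .*SERIAL\[(\w+)\]")


def reported_serial(log_lines, zone_name):
    """Last SERIAL[...] mode ods-signerd logged for a zone (None if it never loaded a signconf)."""
    last = None
    for line in log_lines:
        m = _LOG_SERIAL.search(line)
        if m and m.group(1).lower() == zone_name.lower():
            last = m.group(2)
    return last


if __name__ == "__main__":
    print("serial:", serial_mismatch(KASP_XML, "SIDN", STALE_SIGNCONF, "KVI.nl"))
    for policy, path, value in calendar_unit_warnings(KASP_XML):
        print("warning: policy %s %s = %s (~%d days)" % (policy, path, value, duration_seconds(value) // 86400))
    print("signer reports:", reported_serial(SIGNER_LOG, "KVI.nl"))
```

In practice point `kasp_serial` at /etc/opendnssec/kasp.xml and `signconf_serial` at the zone's file under /var/opendnssec/signconf/, run it once before the policy import and once after, and then confirm with `reported_serial` on the syslog that the signer actually reloaded the signconf (the "unable to read signconf" lines alone do not tell you whether the later, successful load happened). The 31-day month means `P3M` is 93 days, not a calendar quarter, so lifetimes written with Y or M should be rewritten in days if exact rollover timing matters.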
